MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

Applications of MACsec in WAN environments

Overview

Explains the application of MACsec in VPLS/EVPN and MPLS core networks, detailing how to implement encryption on physical interfaces and link bundles to secure data between geographically distributed data centers.

This section describes how MACsec is applied in Wide Area Network (WAN) environments, with a specific emphasis on its implementation in VPLS/EVPN networks and MPLS core networks. It outlines the configuration of MACsec on physical interfaces and link bundles to improve data security between geographically distributed data centers.

Use Case 1: MACsec in a VPLS/EVPN

In a typical Virtual Private LAN Service (VPLS) network, there is a risk that an attacker injects labeled traffic. To counter this, MACsec is implemented in a VPLS/EVPN network to encrypt data exchanged over the VPLS cloud. In this topology, MACsec is configured on the provider edge (PE)-facing interfaces of the customer edge (CE) routers.

Figure 1. MACsec in a VPLS/EVPN Cloud


Use Case 2: MACsec in an MPLS Core Network

MACsec can be deployed in a Multiprotocol Label Switching (MPLS) core network on either physical interfaces or link bundles, also known as Link Aggregation Groups (LAG). This setup is particularly beneficial for MPLS networks that connect data centers located in different geographies, ensuring that all data exchanged is encrypted.

  • Physical Interfaces: MACsec is configured on all router links within the MPLS core. This ensures secure data exchange across links connecting disparate data centers.

    Figure 2. MACsec on Physical Interfaces in an MPLS Core Network


  • Link Bundles (LAG): When MACsec is configured on LAG members, a MACsec Key Agreement (MKA) session is established for each member. Secure Association Keys (SAK) are exchanged, allowing encryption and decryption to occur independently for each member in the group.

    Figure 3. MACsec on a Link Bundle in an MPLS Core Network
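
Because MKA sessions and SAKs are per member, a bundle is only fully encrypted when every member interface carries its own MACsec configuration. The following added example (not part of the Cisco guide) audits a running-config excerpt for bundle members that lack it. It assumes pre-shared-key MACsec applied with the IOS XR interface command `macsec psk-keychain <name> policy <name>`; the interface names, keychain `KC-CORE` and policy `MP-CORE` are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed IOS XR-style running-config excerpt (sample data, not from the guide).
SAMPLE_CONFIG = """\
interface Bundle-Ether10
 ipv4 address 192.0.2.1 255.255.255.252
!
interface HundredGigE0/0/0/0
 bundle id 10 mode active
 macsec psk-keychain KC-CORE policy MP-CORE
!
interface HundredGigE0/0/0/1
 bundle id 10 mode active
!
interface HundredGigE0/0/0/2
 macsec psk-keychain KC-CORE policy MP-CORE
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or another top-level command ends the stanza
    return stanzas

def audit_bundle_members(config):
    """Return {bundle_id: {"secured": [...], "unsecured": [...]}} for LAG members."""
    report = defaultdict(lambda: {"secured": [], "unsecured": []})
    for name, cmds in parse_interfaces(config).items():
        bundle = next((m.group(1) for c in cmds
                       if (m := re.match(r"bundle id (\d+)", c))), None)
        if bundle is None:
            continue  # physical link outside any bundle, or the Bundle-Ether itself
        has_macsec = any(c.startswith("macsec psk-keychain ") for c in cmds)
        report[bundle]["secured" if has_macsec else "unsecured"].append(name)
    return dict(report)

if __name__ == "__main__":
    for bundle, r in audit_bundle_members(SAMPLE_CONFIG).items():
        print(f"Bundle-Ether{bundle}: MKA expected on {r['secured']}, "
              f"no MACsec on {r['unsecured']}")
```

Any interface reported as unsecured is a bundle member on which no MKA session will be established, so it should be reviewed before the bundle is treated as encrypted.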